This March, thousands of fraudulent emails containing links leading to scam invitations and offers of free electronic devices were sent to PHS students and staff. The accounts of PHS staff and students who clicked on the links were compromised, with some of these accounts used to send out even more phishing emails. The district is currently working to improve security.
“This attack accessed their contacts, their giant address book, and sent out an email that looked [like it was] from that person, and that went out to thousands of people in our domain,” said PPS Chief Technology Officer Todd MacDonald.
PPS Superintendent Michael LaSusa explains that this attack, as well as others, has a broader impact on the district, ranging from minor student disruptions to effects on larger administrative functions. One example is PHS emails, such as Birge’s Sunday Night Message, being automatically labeled as spam in some parents’ accounts. This is due to a rating that emails receive, which is based on the security of an account and can be lowered once the account acquires a history of phishing.
“The first impact is probably one of inconvenience, because our tech staff frequently have to go in and freeze an account and make sure that whatever the scheme is trying to accomplish doesn't accomplish that scheme,” said LaSusa. “Secondarily, beyond students, I've learned that our email integrity is rated, and if our rating declines, other servers send back our emails.”
While losing information is the most common consequence of phishing attacks, they can occasionally cause further damage.
“[Phishing is] a lot more deceiving for students in particular,” said Birge. “In addition to [those] two incidents where students lost a small amount of money, we've recognized that [it has] a real consequence.”
The attacks consisted of many waves, each attempting to get hold of students’ information through different forms. MacDonald describes one of the waves, where phishers took over students’ accounts and sent out fake invitations to parties.
“That specific round of emails was an invitation that looked like a [document] to click on that went to a fake Canva. But I believe that one of them is [to] log in to view it. That was their way of trying to get people to log into it if somebody then fell for that attack,” said MacDonald.
Dzbenski noted that the emails were hard to discern as scam emails due to their sophistication. Felix Yu ’27 received one of these emails and clicked on the link.
“It was from Brian Dzbenski’s official email. So I thought it was like an official invitation for some sports thing. So I clicked on it, and I thought it also looked pretty official.”
To ensure that Yu’s information was not used by phishers and prevent any future scams, the tech office changed his password and made it more secure. Another student who clicked on this link, Viola Que ’27, also gave her information to the site, though her account was not compromised. Que described what she learned from her experience.
“If there is something I'm unsure about, or an email or some type of thing that…looks a little bit suspicious, I'll definitely take caution and kind of investigate further on who the sender is, what the link or what information they're sending in the email,” said Que.
PHS Principal Cecilia Birge explained that attacks like these occur frequently, but are often caught early, preventing them from leading to widespread consequences.
“[The tech office] in the background gets attacked every single day with multiple things, and we've seen a couple of leaks that went through the protection firewall,” said Birge. “So what we're seeing is less than one percent of what they're [actually] getting.”
For those whose accounts were compromised, the tech office needed to take further action to secure their information.
“To protect the organization, we disable the account right away, so the data at that point can no longer be accessed by an outside, third party account,” said MacDonald.
MacDonald highlighted that, while such attacks may seem insignificant initially, they often snowball to affect a large number of students, making them harder for the tech office to control.
“One person kind of falls for it occasionally has a cascading effect on others…as soon as somebody else gets successfully phished, it kind of starts over again. So it leaves us just playing catch up,” MacDonald explained.
High schoolers may be more prone to attacks because they lack the two-factor authentication that staff members have for their email accounts. While district staff have a higher level of security, students do not.
“We make [the teachers] log in with another virtual other verification code, so we have security for people that have high level access. For students we don't, so for students that live so much [of] their lives online, not having two factor authentication for them [is] a risk,” said MacDonald.
To avoid being phished or hacked, MacDonald advises PHS students to be skeptical about certain emails.
“Be suspicious if it's from an outside group, be suspicious if it's giving away electronics,” said MacDonald. “Students fall for those things. Those are things that sound too good to be true. It probably is. So just be cautious.”
Beyond caution, LaSusa emphasized the importance of ensuring that high school students have access to information about internet security and how to avoid phishing attacks, suggesting ways to improve digital literacy in the future.
“Having orientations about proper tech use is a good idea,” said LaSusa. “I think having some type of required training and then ongoing testing or probing is [also] a good idea for students.”
